aicoin-market

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The file lib/defaults.json contains hardcoded public API credentials (accessKeyId and accessSecret) intended for free-tier access to the AiCoin service.
  • [PROMPT_INJECTION]: The skill processes untrusted external data, which presents an indirect prompt injection surface.
      • Ingestion points: Content from crypto news and Twitter feeds is retrieved in scripts/news.mjs, scripts/newsflash.mjs, and scripts/twitter.mjs.
      • Boundary markers: There are no specific delimiters used to isolate external content in the script output.
      • Capability inventory: The skill is restricted to fetching data and managing its own configuration in .env files.
      • Sanitization: No sanitization is performed on the text of news or tweets before it is passed to the agent.
  • [DATA_EXFILTRATION]: The skill accesses local .env files to read and update API keys in scripts/coin.mjs and lib/aicoin-api.mjs. This is a documented administrative feature for local setup.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 04:31 AM